I'm trying to untangle how credentials are mapped when NFSv4 is used,
but things aren't making sense.  I think that this is because kinit(1)
doesn't purge old entries from the RPC GSS cache.

With the following setup:

$ getent passwd u500 u501
u500:x:500:1::/tmp:/bin/bash
u501:x:501:1::/tmp:/bin/bash

$ id
uid=500(u500) gid=1(other)

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: u501@SOME.COM

Valid starting                Expires                Service principal
01/19/10 21:57:32  01/20/10 05:57:32  krbtgt/SOME.COM@SOME.COM
        renew until 01/26/10 21:57:32

$ nfsstat -m `pwd`
/mnt/k5i from server:/path/k5i
 Flags:         vers=4,proto=tcp,sec=krb5i,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=5,timeo=600
 Attr cache:    acregmin=3,acregmax=60,acdirmin=30,acdirmax=60


$ (id ; klist ) > 1

I expected that "1" would be owned by u501, not u500.  However, that
seems not to be the case.

$ ls -l
total 1
-rw-r--r--   1 u500     other        276 Jan 19 21:59 1

I had expected it to be u501 because nfssec(5) says:

     krb5     Use Kerberos  V5  protocol  to  authenticate  users
              before granting access to the shared filesystem.

     krb5i    Use  Kerberos  V5  authentication  with   integrity
              checking  (checksums)  to  verify that the data has
              not been tampered with.

That is, I assumed that krb5i is krb5 plus integrity.  In this case,
the authenticity of the user seems to be based on the UID of the user,
not on the Kerberos principal.

However, kdestroy seems to change things a bit...

$ kdestroy

$ ls -l
.: Permission denied
total 3

$ kinit u501
Password for u501@SOME.COM:

$ ls -l
total 4
-rw-r--r--   1 u500     other        276 Jan 19 21:59 1
-rw-r--r--   1 u500     other          0 Jan 19 22:36 2
-rw-r--r--   1 u500     other          0 Jan 19 22:40 abc123

$ touch 3

$ ls -l
total 5
-rw-r--r--   1 u500     other        276 Jan 19 21:59 1
-rw-r--r--   1 u500     other          0 Jan 19 22:36 2
-rw-r--r--   1 u501     other          0 Jan 19 22:48 3
-rw-r--r--   1 u500     other          0 Jan 19 22:40 abc123

Looky there!  "3" was created as u501!  A bit more digging around
suggests that it is actually the kdestroy that is helping out in
purging the relevant item from the RPC GSS cache in the kernel.

Does kinit.c need a call to krpc_sys(KRPC_REVAUTH, ...) like
kdestroy.c has?

-- 
Mike Gerdts
http://mgerdts.blogspot.com/
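A quick check for the situation described above (added here as an example, not part of Mike's message or of any kinit/kdestroy source): it compares the principal in the ticket cache with the owner the server assigned to a freshly created file on the krb5i mount, so a stale RPCSEC_GSS mapping shows up as "stale". The function names are my own, and the klist and ls -l text used to exercise it is constructed.

```sh
#!/bin/sh
# Extract the user part of "Default principal: user@REALM" from klist output.
principal_user() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: *\([^@ ]*\)@.*/\1/p'
}

# Owner column of the named file in "ls -l" output (skips the "total" line).
file_owner() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 != "total" && $NF == f { print $3 }'
}

# Compare the ticket-cache principal ($1 = klist output) with the owner the
# server gave file $3 in the ls -l output $2.  Prints ok | stale | no-ticket.
# "stale" is the symptom from the post: the kernel still maps our uid to the
# principal that was in the cache when the GSS context was first set up.
gss_mapping_status() {
    p=$(principal_user "$1")
    o=$(file_owner "$2" "$3")
    if [ -z "$p" ]; then echo no-ticket; return 2; fi
    if [ "$p" = "$o" ]; then echo ok; return 0; fi
    echo stale; return 1
}

# Live probe against a sec=krb5/krb5i NFSv4 mount ($1): create a probe file,
# report the mapping status, clean up.  On "stale", the remedy observed in the
# post is kdestroy followed by a fresh kinit, which rebuilds the kernel context.
probe_mount() {
    mnt=$1
    f="gssprobe.$$"
    : > "$mnt/$f" || { echo no-access; return 3; }
    gss_mapping_status "$(klist 2>/dev/null)" "$(ls -l "$mnt")" "$f" \
        && rc=0 || rc=$?
    rm -f "$mnt/$f"
    return $rc
}
```

Run `probe_mount /mnt/k5i` after each kinit to see whether the server-side owner tracks the new principal.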
